ADFS LB FW
About This Architecture
Active Directory Federation Services (ADFS) load-balanced architecture with external and internal tiers, a DMZ perimeter, and dual ADFS nodes for high availability. Internet clients route through an external load balancer that applies SNAT (replacing the client source address with its own) and inserts X-Forwarded-For headers (preserving the original client IP for downstream logging and policy) to a Web Application Proxy (WAP) farm in the DMZ, which forwards authenticated requests to an internal load balancer VIP. Intranet clients connect directly to the internal load balancer, which distributes traffic across ADFS Node 1 and ADFS Node 2 behind the internal firewall boundary. This multi-tier design enforces network segmentation, protects the ADFS servers from direct internet exposure, and provides redundancy for federated authentication. Fork this diagram on Diagrams.so to customize firewall rules, add ADFS nodes, or integrate it with your organization's identity topology. The WAP farm acts as a reverse proxy, enabling secure federation while maintaining strict trust boundaries between the DMZ and the secure internal network.
People also ask
How should I architect ADFS with load balancers and firewalls for secure federated authentication?
This diagram shows a production ADFS topology: an external load balancer with SNAT and X-Forwarded-For routes internet clients through a WAP farm in the DMZ, then to an internal load balancer VIP that distributes traffic across dual ADFS nodes. The design enforces network segmentation, protects the ADFS servers from direct exposure, and provides redundancy for enterprise federated identity.
- Domain: Security
- Audience: security architects designing federated identity infrastructure
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.